Title: [108417] trunk
Revision: 108417
Author: [email protected]
Date: 2012-02-21 16:42:37 -0800 (Tue, 21 Feb 2012)

Log Message

Assertion failure in TextIterator::handleTextBox
https://bugs.webkit.org/show_bug.cgi?id=78530

Source/WebCore: 

Reviewed by Eric Seidel.

The assertion failure was caused by handleTextNodeFirstLetter's updating m_text without clearing
m_sortedTextBoxesPosition. Re-structured handleTextNode so that we always reset m_sortedTextBoxesPosition
when we have a first-letter.

Test: editing/text-iterator/rtl-first-letter-text-iterator-crash.html

* editing/TextIterator.cpp:
(WebCore::TextIterator::handleTextNode):
(WebCore::TextIterator::handleTextBox):
(WebCore::TextIterator::handleTextNodeFirstLetter):

LayoutTests: 

Reviewed by Enrica Casucci.

Add a regression test. Also rebaseline a crash test.

* editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt: Added.
* editing/text-iterator/rtl-first-letter-text-iterator-crash.html: Added.
* editing/text-iterator/rtl-selection-crash-expected.txt:

Diff

Modified: trunk/LayoutTests/ChangeLog (108416 => 108417)


--- trunk/LayoutTests/ChangeLog	2012-02-22 00:38:06 UTC (rev 108416)
+++ trunk/LayoutTests/ChangeLog	2012-02-22 00:42:37 UTC (rev 108417)
@@ -1,3 +1,16 @@
+2012-02-15  Ryosuke Niwa  <[email protected]>
+
+        Assertion failure in TextIterator::handleTextBox
+        https://bugs.webkit.org/show_bug.cgi?id=78530
+
+        Reviewed by Enrica Casucci.
+
+        Add a regression test. Also rebaseline a crash test.
+
+        * editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt: Added.
+        * editing/text-iterator/rtl-first-letter-text-iterator-crash.html: Added.
+        * editing/text-iterator/rtl-selection-crash-expected.txt:
+
 2012-02-21  Adam Klein  <[email protected]>
 
         ContainerNode::childrenChanged must be called immediately after removing children
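Review bot: The `rtl-selection-crash-expected.txt` line at the end of this entry has no description, and "Also rebaseline a crash test" does not say why the expected output changed. No hunk for that file appears in the diff shown here, so state in the entry what the new baseline is and why this fix changes it.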

Added: trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt (0 => 108417)


--- trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash-expected.txt	2012-02-22 00:42:37 UTC (rev 108417)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html (0 => 108417)


--- trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html	2012-02-22 00:42:37 UTC (rev 108417)
@@ -0,0 +1,31 @@
+<style>
+  #el0 {
+    visibility: collapse;
+  }
+  #el1::first-letter {
+    height: 1;
+</style>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function crash(){
+    el0=document.createElement('div')
+    document.body.appendChild(el0)
+    el0.setAttribute('id','el0')
+    el1=document.createElement('div')
+    document.body.appendChild(el1)
+    el1.setAttribute('id','el1')
+    el0.appendChild(document.createTextNode(unescape(Array(40).join('A')+'%ufed5')));
+    el1.appendChild(document.createTextNode(unescape('A%u074b')));
+    document.body.offsetTop;
+    setTimeout(function () {
+        document.body.innerHTML = "PASS. WebKit didn't crash.";
+        layoutTestController.notifyDone();
+    }, 0);
+}
+window.scrollTop;
+window._onload_=crash
+</script>
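Review bot: `layoutTestController.notifyDone()` inside the `setTimeout` callback is called without the `if (window.layoutTestController)` guard used at the top of the script, so opening the test directly in a browser throws after the PASS text is written; guard the call the same way. The `#el1::first-letter` rule is also missing its closing `}` before `</style>`, and `el0`/`el1` are implicit globals; if the unclosed rule is needed to reproduce the crash, say so in a comment, otherwise close it. As rendered here the handler is assigned to `window._onload_`, which never runs `crash()`; confirm the committed file uses `window.onload`.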

Modified: trunk/Source/WebCore/ChangeLog (108416 => 108417)


--- trunk/Source/WebCore/ChangeLog	2012-02-22 00:38:06 UTC (rev 108416)
+++ trunk/Source/WebCore/ChangeLog	2012-02-22 00:42:37 UTC (rev 108417)
@@ -1,3 +1,21 @@
+2012-02-15  Ryosuke Niwa  <[email protected]>
+
+        Assertion failure in TextIterator::handleTextBox
+        https://bugs.webkit.org/show_bug.cgi?id=78530
+
+        Reviewed by Eric Seidel.
+
+        The assertion failure was caused by handleTextNodeFirstLetter's updating m_text without clearing
+        m_sortedTextBoxesPosition. Re-structured handleTextNode so that we always reset m_sortedTextBoxesPosition
+        when we have a first-letter.
+
+        Test: editing/text-iterator/rtl-first-letter-text-iterator-crash.html
+
+        * editing/TextIterator.cpp:
+        (WebCore::TextIterator::handleTextNode):
+        (WebCore::TextIterator::handleTextBox):
+        (WebCore::TextIterator::handleTextNodeFirstLetter):
+
 2012-02-21  Yael Aharon  <[email protected]>
 
         Unreviewed build fix.
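Review bot: The entry is dated 2012-02-15 but sits above an entry dated 2012-02-21; update the date to the landing date so the ChangeLog stays in order. The three function lines under `editing/TextIterator.cpp` carry no per-function notes; add a short note to each saying what changed in that function.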

Modified: trunk/Source/WebCore/editing/TextIterator.cpp (108416 => 108417)


--- trunk/Source/WebCore/editing/TextIterator.cpp	2012-02-22 00:38:06 UTC (rev 108416)
+++ trunk/Source/WebCore/editing/TextIterator.cpp	2012-02-22 00:42:37 UTC (rev 108417)
@@ -487,25 +487,20 @@
         return true;
     }
 
-    if (!renderer->firstTextBox() && str.length() > 0) {
-        if (!m_handledFirstLetter && renderer->isTextFragment()) {
-            handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
-            if (m_firstLetterText) {
-                handleTextBox();
-                return false;
-            }
-        }
+    if (renderer->firstTextBox())
+        m_textBox = renderer->firstTextBox();
+
+    bool shouldHandleFirstLetter = !m_handledFirstLetter && renderer->isTextFragment() && !m_offset;
+    if (shouldHandleFirstLetter)
+        handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
+
+    if (!renderer->firstTextBox() && str.length() > 0 && !shouldHandleFirstLetter) {
         if (renderer->style()->visibility() != VISIBLE && !m_ignoresStyleVisibility)
             return false;
         m_lastTextNodeEndedWithCollapsedSpace = true; // entire block is collapsed space
         return true;
     }
 
-    
-    m_textBox = renderer->firstTextBox();
-    if (!m_handledFirstLetter && renderer->isTextFragment() && !m_offset)
-        handleTextNodeFirstLetter(static_cast<RenderTextFragment*>(renderer));
-
     if (m_firstLetterText)
         renderer = m_firstLetterText;
 
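Review bot: The collapsed-space early return is now skipped whenever `shouldHandleFirstLetter` is true, even if `handleTextNodeFirstLetter` did not produce a first-letter renderer. Before this change that case fell through to the visibility check and returned while `m_firstLetterText` was still null; now execution continues with `m_textBox` left at whatever value it had, because the assignment is conditional on `renderer->firstTextBox()`. Consider testing `!m_firstLetterText` in that condition instead of `!shouldHandleFirstLetter`, or add a comment explaining why the fall-through is safe.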
@@ -562,6 +557,7 @@
                 nextTextBox = m_sortedTextBoxes[m_sortedTextBoxesPosition + 1];
         } else 
             nextTextBox = m_textBox->nextTextBox();
+        ASSERT(!nextTextBox || nextTextBox->renderer() == renderer);
 
         if (runStart < runEnd) {
             // Handle either a single newline character (which becomes a space),
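Review bot: The new `ASSERT` after the `nextTextBox` selection is compiled out in release builds, so a `nextTextBox` belonging to a different renderer would still be used there. Add a one-line comment stating which invariant guarantees `nextTextBox->renderer() == renderer`, so that a later change to the sorted-box handling does not silently break it.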
@@ -630,6 +626,7 @@
             m_handledFirstLetter = true;
             m_remainingTextBox = m_textBox;
             m_textBox = firstLetter->firstTextBox();
+            m_sortedTextBoxes.clear();
             m_firstLetterText = firstLetter;
         }
     }
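Review bot: `m_sortedTextBoxes.clear()` empties the vector, but nothing in this hunk resets `m_sortedTextBoxesPosition`, which the commit message names as the stale state and which is used as an index in `m_sortedTextBoxes[m_sortedTextBoxesPosition + 1]`. Reset the position next to the `clear()` call, or add a comment pointing to where it is reset, so the two members cannot get out of step.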
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
